How to install, deploy and configure SPF on Linux for Postfix, CentOS, RHEL, AlmaLinux and Rocky Linux

by time news

This tutorial shows how to implement SPF (Sender Policy Framework) in a Postfix 2.x installation. Sender Policy Framework is an open standard that specifies a technical method of preventing sender address spoofing (see http://www.openspf.org/Introduction). There are many extensions and SPF patches available for Postfix, but most require you to recompile Postfix. Therefore, we will install the postfix-policyd-spf-perl package from openspf.org, which is a Perl package and can be deployed to existing Postfix installations (no Postfix compilation required).

This has worked perfectly on CentOS 8, RHEL 8 and Debian.

We will start by looking for the packages to install with yum search spf:

[root@server ~]# yum search spf
Última comprobación de caducidad de metadatos hecha hace 1:51:55, el vie 08 ene 2021 18:12:17 CET.
================= Coincidencia en Nombre , Resumen: spf =================
libspf2.x86_64 : An implementation of the SPF specification
libspf2-apidocs.noarch : API documentation for the libspf2 library
libspf2-devel.x86_64 : Development tools needed to build programs that use libspf2
libspf2-progs.x86_64 : Programs for making SPF queries using libspf2
perl-Mail-SPF_XS.x86_64 : An XS implementation of Mail::SPF
pypolicyd-spf.noarch : SPF Policy Server for Postfix (Python implementation)
python3-pyspf.noarch : Python module and programs for SPF (Sender Policy Framework)
================= Coincidencia en Nombre: spf =================
perl-Mail-SPF.noarch : Object-oriented implementation of Sender Policy Framework
[root@server ~]# 

Let's install the packages. To find them, use yum search spf on CentOS and RHEL, or apt-cache search spf on Debian.

If you use CentOS, RedHat, etc… use e.g.: yum install python3-pyspf

If you use Debian, Ubuntu, etc… use e.g.: apt-get install python3-pyspf

pypolicyd-spf
python3-pyspf
perl-Mail-SPF

If appropriate, we will edit the file:

/etc/python-policyd-spf/policyd-spf.conf

We can use the “vi” or “vim” editor

vim /etc/python-policyd-spf/policyd-spf.conf

We can set Whitelist to list IP addresses, Domain_Whitelist to list only certain domains, or both together. For example:

###
Whitelist = 81.88.48.32/27,81.88.50.224/27,195.110.124.132
Domain_Whitelist = linuxpary.es,extrehost.com
####

The file /usr/bin/policyd-spf must exist, which in this case should be a link to /usr/libexec/postfix/policyd-spf:

[root@arash ~]# ll /usr/bin/policyd-spf
lrwxrwxrwx [...] /usr/bin/policyd-spf -> /usr/libexec/postfix/policyd-spf

To get there, we create the link as follows.

First, we must make sure that /usr/libexec/postfix/policyd-spf exists, like this:

ll /usr/libexec/postfix/policyd-spf

Once we have confirmed that it exists, we create the link:
ln -sf /usr/libexec/postfix/policyd-spf /usr/bin/policyd-spf

We repeat the earlier check to verify that /usr/bin/policyd-spf exists and is a link to the file from the previous step:

[root@arash ~]# ll /usr/bin/policyd-spf 

lrwxrwxrwx [...] /usr/bin/policyd-spf -> /usr/libexec/postfix/policyd-spf

Now we edit the file /etc/postfix/master.cf and add at the end of the file:

policyd-spf  unix  -       n       n       -       0       spawn  user=nobody argv=/usr/bin/policyd-spf

In the file /etc/postfix/main.cf, we append check_policy_service unix:private/policyd-spf to the end of the smtpd_recipient_restrictions line, so that it reads as follows:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf

In the /etc/postfix/main.cf file, look for the smtpd_recipient_restrictions directive. It should contain accept_unauth_destination, and right after accept_unauth_destination you add check_policy_service unix:private/policyd-spf. But the truth is that I have reject_unauth_destination, and it works just as well.
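
As an added example (not part of the original article), the shell function below checks that check_policy_service unix:private/policyd-spf comes after reject_unauth_destination. Postfix evaluates restrictions from left to right, and its policy delegation documentation warns that a policy service listed before reject_unauth_destination can turn the server into an open relay. The function name check_spf_order and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# check_spf_order VALUE
#   VALUE is the content of smtpd_recipient_restrictions, for instance the
#   output of `postconf -h smtpd_recipient_restrictions` on the mail server.
# Return codes: 0 = correct, 1 = SPF policy service not listed,
#               2 = reject_unauth_destination not listed,
#               3 = SPF policy service listed before reject_unauth_destination.
SPF_SERVICE="unix:private/policyd-spf"   # service name used in this article

check_spf_order() {
    cso_pos=0; cso_reject=0; cso_spf=0; cso_prev=""
    set -f   # no globbing while the value is split into words
    # Postfix accepts commas and/or whitespace between restrictions.
    for cso_word in $(printf '%s' "$1" | tr ',' ' '); do
        cso_pos=$((cso_pos + 1))
        if [ "$cso_word" = reject_unauth_destination ] && [ "$cso_reject" -eq 0 ]; then
            cso_reject=$cso_pos
        fi
        # Only count the service when it is the argument of check_policy_service.
        if [ "$cso_word" = "$SPF_SERVICE" ] && [ "$cso_prev" = check_policy_service ] \
           && [ "$cso_spf" -eq 0 ]; then
            cso_spf=$cso_pos
        fi
        cso_prev=$cso_word
    done
    set +f
    if [ "$cso_spf" -eq 0 ]; then
        echo "FAIL: check_policy_service $SPF_SERVICE is not listed"; return 1
    elif [ "$cso_reject" -eq 0 ]; then
        echo "FAIL: reject_unauth_destination is not listed"; return 2
    elif [ "$cso_spf" -lt "$cso_reject" ]; then
        echo "FAIL: SPF policy service is evaluated before reject_unauth_destination"; return 3
    fi
    echo "OK: SPF policy service follows reject_unauth_destination"
}

# Constructed sample values (the first is the line from this article).
GOOD="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf"
WRONG_ORDER="permit_mynetworks, check_policy_service unix:private/policyd-spf, reject_unauth_destination"
NO_SPF="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"

for sample in "$GOOD" "$WRONG_ORDER" "$NO_SPF"; do
    check_spf_order "$sample" || true
done
```

On a live server, call it as check_spf_order "$(postconf -h smtpd_recipient_restrictions)" after editing main.cf and before restarting Postfix.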

Then we restart Postfix:

service postfix restart

We check that things work…

tail -f /var/log/maillog

With this, we would have finished installing and configuring everything.
